IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In re application of: Rae K. Burns, et al.
Confirmation No. 1004
Group Art Unit No. 2164
Serial No. 10/006,543
Examiner: Wong, Leslie
Filed: November 30, 2001
For: TECHNIQUES FOR ADDING MULTIPLE SECURITY POLICIES TO A DATABASE SYSTEM

Declaration Under 37 CFR 1.131 



Sir: 



We, RAE K. BURNS, and PATRICK F. SACK, and VIKRAM REDDY PESATI,
pursuant to 37 CFR 1.131, declare:

1. We are the inventors named in the above referenced patent application
("Application").

2. We make this declaration for the purpose of establishing a reduction to
practice of the inventions disclosed and claimed in the Application at a date prior to
March 30, 2001, the effective filing date of U.S. Patent Application Publication No.
US 2002/0143735, herein Ayi.

3. We conceived and reduced to practice an implementation of claims 1-5 and
21-25 before the effective filing date of Ayi.

4. We participated on a team that developed the implementation of claims 1-5
and 21-25 that is incorporated into an Oracle™ database server product. After the design
phase of the development, successful tests were run to show that the implementation worked
according to claims 1-5 and 21-25. These tests, which were conducted using standard
internal test processes and procedures, were completed before the effective filing date of Ayi
and were carried out in this country.

OID 2001-090-01
Docket No. 50277-1774

5. Attached as Exhibit A is a true and correct print out of substantially all of test
script file 'tzlasOl.sql'. The test script was used to test the implementation.

6. Attached as Exhibit B is a true and correct printout of test script log file
'tzllasOl.log', which shows the results of running the test script shown in Exhibit A before the
effective filing date of Ayi. The results show that the tests were successful.

7. Attached as Exhibit C is a true and correct print out of substantially all of test
script file 'tzlbacl4.sql'. The test script was used to test the implementation.

8. Attached as Exhibit D is a true and correct printout of test script log file
'tzlbacl4.log', which shows the results of running the test script shown in Exhibit C before
the effective filing date of Ayi. The results show that the tests were successful.

9. Exhibit D has been annotated with bolded and bracketed comments that
illustrate how Exhibit D supports the claim language of Claims 1-5 and 21-25, as required by
the Examiner in the Office Action dated March 3, 2006.

10. Exhibits A, B, C, and D are submitted as probative of the fact that the
successful tests referred to in paragraph 4 were executed before the filing date of Ayi.

Each person signing below states that all statements made herein of his own 
knowledge are true and that all statements made herein on information and belief are 
believed to be true, and further, that the statements are made with the knowledge that willful 
false statements in the like so made are punishable by a fine or imprisonment or both, under 
Section 101, Title 18 of the United States Code and that such willful and false statements 
may jeopardize the validity of the application or any patent issued thereon. 
Dated:               RAE K. BURNS



Dated: 
Exhibit A
'tzlasOl.sql'

$Header: tzlasOl.sql ...

REMARK >>>> Set System Variables For Current SQLPlus Session <<<
SET FEEDBACK 1
SET NUMWIDTH 10
SET PAGESIZE 24
SET LINESIZE 80
SET TRIMSPOOL ON
SET TAB OFF
SET DEFINE '^'
SET ECHO ON

CONNECT LBACSYS/LBACSYS

-- Create two SA policies
EXECUTE SA_SYSDBA.CREATE_POLICY('SA1','SA1_COL','ALL_CONTROL');
EXECUTE SA_SYSDBA.CREATE_POLICY('SA2','SA2_COL','NO_CONTROL');

-- Initialize PUBLIC labels for them
EXECUTE SA_LABELS.CREATE_LEVEL('SA1',0,'PUBLIC','PUBLIC Level');
EXECUTE SA_LABELS.CREATE_LEVEL('SA2',0,'PUBLIC','PUBLIC Level');

EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',10,'public');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa2',10,'public');

-- Setup some labels for policy SA1
EXECUTE SA_LABELS.CREATE_LEVEL('sa1',10,'c','confidential');
EXECUTE SA_LABELS.CREATE_LEVEL('sa1',20,'s','SECRET');
EXECUTE SA_LABELS.CREATE_LEVEL('sa1',30,'ts','Top Secret');

EXECUTE SA_LABELS.CREATE_COMPARTMENT('sa1',5,'A','ALPHA');
EXECUTE SA_LABELS.CREATE_COMPARTMENT('sa1',10,'b','beta');

EXECUTE SA_LABELS.CREATE_GROUP('sa1',5,'G1','group 1');
EXECUTE SA_LABELS.CREATE_GROUP('sa1',51,'G2','group 2','G1');
EXECUTE SA_LABELS.CREATE_GROUP('sa1',52,'G3','group 3','G1');

EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',200,'c');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',225,'C:b,a');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',210,'C:a');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',205,'C::g2');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',300,'s');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',310,'S:a');

-- Generate some labels
SELECT LABEL_TO_CHAR(TO_SA_LABEL('sa1','C:a:g1')) FROM DUAL;
SELECT LABEL_TO_CHAR(TO_SA_LABEL('sa1','S:a,b')) FROM DUAL;
SELECT LABEL_TO_CHAR(TO_SA_LABEL('sa1','public:a:g1')) FROM DUAL;

COL POLICY_NAME FORMAT A15
COL LABEL FORMAT A20
SELECT * FROM DBA_SA_LABELS;

col labelvalue format a20
col policy_name format a10
SELECT * from dba_sa_labels;

-- Set user labels
EXECUTE SA_USER_ADMIN.SET_LEVELS('sa1','scott','S','C');
EXECUTE SA_USER_ADMIN.SET_COMPARTMENTS('sa1','scott','a,b');
EXECUTE SA_USER_ADMIN.SET_GROUPS('sa1','scott','G1');
SELECT * FROM dba_sa_user_levels ORDER BY policy_name, user_name;
SELECT * FROM dba_sa_user_compartments ORDER BY policy_name, user_name;
SELECT * FROM dba_sa_user_groups ORDER BY policy_name, user_name;

-- Look at session labels
CONNECT scott/tiger

create or replace FUNCTION get_list (pol IN VARCHAR2)
RETURN VARCHAR2 IS
  test_list lbacsys.lbac_label_list;
begin
  test_list := lbac_session.effective_labels(pol);
  RETURN label_list_to_named_char(test_list, 'effective');
END;
/

select get_list('sa1') from dual;
select get_list('sa2') from dual;

Exhibit B
'tzlasOl.log'

SQL> @tzlasOl
SQL>
SQL> CONNECT LBACSYS/LBACSYS
Connected.
SQL>
SQL> -- Create two SA policies
SQL> EXECUTE SA_SYSDBA.CREATE_POLICY('SA1','SA1_COL','ALL_CONTROL');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_SYSDBA.CREATE_POLICY('SA2','SA2_COL','NO_CONTROL');

PL/SQL procedure successfully completed.

SQL>
SQL> -- Initialize PUBLIC labels for them
SQL> EXECUTE SA_LABELS.CREATE_LEVEL('SA1',0,'PUBLIC','PUBLIC Level');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABELS.CREATE_LEVEL('SA2',0,'PUBLIC','PUBLIC Level');

PL/SQL procedure successfully completed.

SQL>
SQL> EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',10,'public');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa2',10,'public');
BEGIN SA_LABEL_ADMIN.CREATE_LABEL('sa2',10,'public'); END;

ERROR at line 1:
ORA-12432: LBAC error: Label with the given label_tag: 10 already exists
ORA-06512: at "LBACSYS.LBAC_STANDARD", line 0
ORA-06512: at "LBACSYS.LBAC_LABEL_ADMIN", line 57
ORA-06512: at line 1

SQL>
SQL> -- Setup some labels for policy SA1
SQL> EXECUTE SA_LABELS.CREATE_LEVEL('sa1',10,'c','confidential');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABELS.CREATE_LEVEL('sa1',20,'s','SECRET');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABELS.CREATE_LEVEL('sa1',30,'ts','Top Secret');

PL/SQL procedure successfully completed.

SQL>
SQL> EXECUTE SA_LABELS.CREATE_COMPARTMENT('sa1',5,'A','ALPHA');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABELS.CREATE_COMPARTMENT('sa1',10,'b','beta');

PL/SQL procedure successfully completed.

SQL>
SQL> EXECUTE SA_LABELS.CREATE_GROUP('sa1',5,'G1','group 1');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABELS.CREATE_GROUP('sa1',51,'G2','group 2','G1');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABELS.CREATE_GROUP('sa1',52,'G3','group 3','G1');

PL/SQL procedure successfully completed.

SQL>
SQL> EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',200,'c');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',225,'c:b,a');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',210,'C:a');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',205,'C::g2');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',300,'s');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('sa1',310,'s:a');

PL/SQL procedure successfully completed.

SQL>
SQL> -- Generate some labels
SQL> SELECT LABEL_TO_CHAR(TO_SA_LABEL('sa1','c:a:g1')) FROM DUAL;

LABEL_TO_CHAR(TO_SA_LABEL('SA1','C:A:G1'))

C:A:G1

1 row selected.

SQL> SELECT LABEL_TO_CHAR(TO_SA_LABEL('sa1','S:a,b')) FROM DUAL;

LABEL_TO_CHAR(TO_SA_LABEL('SA1','S:A,B'))

S:A,B

1 row selected.

SQL> SELECT LABEL_TO_CHAR(TO_SA_LABEL('sa1','public:a:g1')) FROM DUAL;

LABEL_TO_CHAR(TO_SA_LABEL('SA1','PUBLIC:A:G1'))

PUBLIC:A:G1

1 row selected.

SQL>
SQL> COL POLICY_NAME FORMAT A15
SQL> COL LABEL FORMAT A20
SQL> SELECT * FROM DBA_SA_LABELS;

POLICY_NAME     LABEL                 LABEL_TAG LABEL_TYPE
SA1             PUBLIC                       10 USER LABEL
SA1             C                           200 USER/DATA LABEL
SA1             C::G2                       205 USER/DATA LABEL
SA1             C:A                         210 USER/DATA LABEL
SA1             C:A,B                       225 USER/DATA LABEL
SA1             S                           300 USER/DATA LABEL
SA1             S:A                         310 USER/DATA LABEL
SA1             C:A:G1               1000000000 USER/DATA LABEL
SA1             S:A,B                1000000001 USER/DATA LABEL
SA1             PUBLIC:A:G1          1000000002 USER/DATA LABEL

10 rows selected.

SQL>
SQL>
SQL> col labelvalue format a20
SQL> col policy_name format a10
SQL> SELECT * from dba_sa_labels;

POLICY_NAM LABEL                 LABEL_TAG LABEL_TYPE
SA1        PUBLIC                       10 USER LABEL
SA1        C                           200 USER/DATA LABEL
SA1        C::G2                       205 USER/DATA LABEL
SA1        C:A                         210 USER/DATA LABEL
SA1        C:A,B                       225 USER/DATA LABEL
SA1        S                           300 USER/DATA LABEL
SA1        S:A                         310 USER/DATA LABEL
SA1        C:A:G1               1000000000 USER/DATA LABEL
SA1        S:A,B                1000000001 USER/DATA LABEL
SA1        PUBLIC:A:G1          1000000002 USER/DATA LABEL

10 rows selected.

SQL>
SQL> -- Set user labels
SQL> EXECUTE SA_USER_ADMIN.SET_LEVELS('sa1','scott','s','c');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_USER_ADMIN.SET_COMPARTMENTS('sa1','scott','a,b');

PL/SQL procedure successfully completed.

SQL> EXECUTE SA_USER_ADMIN.SET_GROUPS('sa1','scott','G1');

PL/SQL procedure successfully completed.

SQL> SELECT * FROM dba_sa_user_levels ORDER BY policy_name, user_name;

POLICY_NAM USER_NAME MAX_LEVEL
MIN_LEVEL
ROW_LEVEL
DEF_LEVEL
SA1
C
S
SCOTT

1 row selected.

SQL> SELECT * FROM dba_sa_user_compartments ORDER BY policy_name, user_name;

POLICY_NAM USER_NAME COMP RW_AC
D
SA1
Y
Y
SA1
Y
Y
SCOTT
SCOTT
B
WRITE
WRITE

2 rows selected.

SQL> SELECT * FROM dba_sa_user_groups ORDER BY policy_name, user_name;

POLICY_NAM USER_NAME GRP
D
RW_AC
SA1
Y
SCOTT
G1
WRITE
Y

1 row selected.

SQL>
SQL> -- Look at session labels
SQL> CONNECT scott/tiger
Connected.
SQL>
SQL> create or replace FUNCTION get_list (pol IN VARCHAR2)
  2  RETURN VARCHAR2 IS
  3  test_list lbacsys.lbac_label_list;
  4  begin
  5  test_list := lbac_session.effective_labels(pol);
  6  RETURN label_list_to_named_char(test_list, 'effective');
  7  END;
  8  /

Function created.

SQL>
SQL> select get_list('sa1') from dual;

GET_LIST('SA1')

MAX READ LABEL='S:A,B:G1,G2,G3',MAX WRITE LABEL='S:A,B:G1,G2,G3',MIN WRITE LABEL
='C',READ LABEL='S:A,B:G1,G2,G3',WRITE LABEL='S:A,B:G1,G2,G3',ROW LABEL='S:A,B:G
1,G2,G3'

1 row selected.

SQL> select get_list('sa2') from dual;

GET_LIST('SA2')

1 row selected.

SQL>
SQL> SQL>

Exhibit C
'tzlbacl4.sql'

$Header: tzlbacl4.sql ...

REMARK >>>> Set System Variables For Current SQLPlus Session <<<<
SET FEEDBACK 1
SET NUMWIDTH 10
SET PAGESIZE 24
SET LINESIZE 80
SET TRIMSPOOL ON
SET TAB OFF
SET DEFINE '^'
SET ECHO ON

CONNECT SCOTT/TIGER

CREATE TABLE abc
(COL1 VARCHAR2(45));

CREATE TABLE jing
(COL1 VARCHAR2(45));

GRANT ALL ON abc TO LBACSYS;

-- This should not be allowed as the user is SCOTT
EXECUTE LBAC_SYSDBA.CREATE_POLICY('simple','lbac$test1','raghu');

CONNECT LBACSYS/LBACSYS

-- Create policies in database
EXECUTE LBAC_SYSDBA.CREATE_POLICY('simple','lbac$test1','raghu');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('complex','lbac$test1','rghu');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('sile','lbac$test1');

-- Error Conditions
EXECUTE LBAC_SYSDBA.CREATE_POLICY('complex','lbac$test1','aghu');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('dummy','lbac$test1');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('new','lbac$test1','raghu');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('new123','lbac$tt1','xyz');

-- This should not fail ...
EXECUTE LBAC_SYSDBA.CREATE_POLICY('abcdefghijklmnopqrstuvwxyz1234','lbac$test1','fdf');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('abcdefghijklmnopqrstuvwxyz','lbac$test1','fdf');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('india','lbac$test1','fdfefg');

-- Add 5 policies due to max_label_policies default increase from 5 to 10.
EXECUTE LBAC_SYSDBA.CREATE_POLICY('ab1','lbac$test1','vc1');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('ab2','lbac$test1','vc2');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('ab3','lbac$test1','vc3');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('ab4','lbac$test1','vc4');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('ab5','lbac$test1','vc5');

-- Error Conditions
EXECUTE LBAC_SYSDBA.CREATE_POLICY('abc','lbac$test1','vex');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('simple');
EXECUTE LBAC_SYSDBA.CREATE_POLICY('abcdefghijklmnopqrstuvwxyz12345','lbac$test1','ragu');

-- Drop extra 5 policies from above.
EXECUTE LBAC_SYSDBA.DROP_POLICY('ab1');
EXECUTE LBAC_SYSDBA.DROP_POLICY('ab2');
EXECUTE LBAC_SYSDBA.DROP_POLICY('ab3');
EXECUTE LBAC_SYSDBA.DROP_POLICY('ab4');
EXECUTE LBAC_SYSDBA.DROP_POLICY('ab5');

-- Let us check the policies created ...
SELECT *
FROM DBA_LBAC_POLICIES
ORDER BY POLICY_NAME;

EXECUTE LBAC_SYSDBA.ENABLE_POLICY('simple');

-- The basic objective from now on is to test the enable/disable procedures ...

EXECUTE LBAC_LABEL_ADMIN.CREATE_LABEL('simple',1,'A,B',TRUE);
EXECUTE LBAC_LABEL_ADMIN.CREATE_LABEL('abcdefghijklmnopqrstuvwxyz',2,'A',TRUE);

EXECUTE LBAC_USER_ADMIN.SET_USER_LABELS('abcdefghijklmnopqrstuvwxyz','SCOTT',TO_LABEL_LIST.FROM_CHAR('abcdefghijklmnopqrstuvwxyz',NULL,'A'));

SELECT *
FROM DBA_LBAC_USER_LABELS ORDER BY USER_NAME, POLICY_NAME;

-- Error Conditions
EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('abcdefghijklmnopqrstuvwxyz','SCOTT','abc');

-- OK now
EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('complex','SCOTT','abc','NO_CONTROL');
EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('complex','SCOTT','jing','NO_CONTROL');
EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('simple','SCOTT','abc','DELETE_CONTROL');
EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('simple','SCOTT','EMP','DELETE_CONTROL');
EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('sile','SCOTT','jing','DELETE_CONTROL');

CONNECT SCOTT/TIGER
DESC abc;

INSERT INTO abc (col1)
VALUES ('fdfd');

UPDATE abc
SET raghu = LBACSYS.TO_LBAC_LABEL('simple','A,B');

-- Should not allow ...
DELETE FROM abc;

SELECT col1, LABEL_TO_CHAR(raghu)
FROM abc
ORDER BY col1;

-- Error Condition
EXECUTE LBAC_SYSDBA.DISABLE_POLICY('simple');

CONNECT LBACSYS/LBACSYS

EXECUTE LBAC_SYSDBA.DISABLE_POLICY('simple');

-- Error Conditions ...
EXECUTE LBAC_SYSDBA.DISABLE_POLICY('abcdefghijklmnopqrstuvwxyzfd');
EXECUTE LBAC_SYSDBA.DISABLE_POLICY('abcdefghijklmnopqrstuvwxyz','fdf');

-- Should not delete as the disable will be effective from next session only
DELETE FROM SCOTT.abc;

CONNECT SCOTT/TIGER

SELECT col1, LABEL_TO_CHAR(raghu)
FROM abc
ORDER BY col1;

-- Should delete now as the policy is disabled ...
DELETE FROM abc;

SELECT col1, LABEL_TO_CHAR(raghu)
FROM abc
ORDER BY col1;

INSERT INTO abc (col1)
VALUES ('123233');

-- Error Condition ...
EXECUTE LBAC_SYSDBA.ENABLE_POLICY('simple');

CONNECT LBACSYS/LBACSYS

EXECUTE LBAC_SYSDBA.ENABLE_POLICY('simple');

-- Error Conditions ...
EXECUTE LBAC_SYSDBA.ENABLE_POLICY('simpler 1');
EXECUTE LBAC_SYSDBA.ENABLE_POLICY('simple', FALSE);

-- Should delete now as the enable will be effective only from new session
DELETE FROM SCOTT.abc;

CONNECT SCOTT/TIGER

-- Expecting no rows ...
SELECT col1, LABEL_TO_CHAR(raghu)
FROM abc
ORDER BY col1;

INSERT INTO abc (col1)
VALUES ('1232');

-- Delete should fail ...
DELETE FROM abc;

SELECT col1, LABEL_TO_CHAR(raghu)
FROM abc
ORDER BY col1;

CONNECT LBACSYS/LBACSYS

EXECUTE LBAC_SYSDBA.DROP_POLICY('simple', TRUE);
EXECUTE LBAC_SYSDBA.DROP_POLICY('complex', FALSE);
EXECUTE LBAC_SYSDBA.DROP_POLICY('sile');

EXECUTE LBAC_SYSDBA.DROP_POLICY('abcdefghijklmnopqrstuvwxyz1234');
EXECUTE LBAC_SYSDBA.DROP_POLICY('abcdefghijklmnopqrstuvwxyz');
EXECUTE LBAC_SYSDBA.DROP_POLICY('india');

-- Error Conditions
EXECUTE LBAC_SYSDBA.DROP_POLICY('adfd');
EXECUTE LBAC_SYSDBA.DROP_POLICY('simple', XYZ);

SELECT *
FROM DBA_LBAC_POLICIES
ORDER BY POLICY_NAME;

CONNECT SCOTT/TIGER

-- Simple policy was applied on two tables (abc,emp) the hidden column should
-- be dropped as the TRUE option is set; Policy complex was applied to
-- two tables (abc,jing) and hidden column should not be dropped as the option
-- was set to FALSE; Policy sile was applied to a table (jing) and the hidden
-- column should not be dropped as the default option is FALSE.

DESC abc;
DESC jing;
DESC EMP;

DROP TABLE abc;
DROP TABLE jing;

SET ECHO OFF

EXIT;






Exhibit D 
' tzlbac!4 . log' 



SQL> @tzlbacl4 
SQL> 

SQL> CONNECT SCOTT/TIGER 

Connected . 

SQL> 

SQL> CREATE TABLE abc 

2 (C0L1 VARCHAR2 (45) ) ; 

Table created. 

SQL> 

SQL> CREATE TABLE j ing 
2 (C0L1 VARCHAR2 (45) ) ; 

Table created. 

SQL> 

SQL> GRANT ALL ON abc TO LBACSYS; 

Grant succeeded. 

SQL> 

SQL> -- This should not be allowed as the user is SCOTT 

SQL> EXECUTE LBAC_SYSDBA. CREATE_POLICY ( ' simple 1 , " lbac$testl 1 , ' raghu » ) ; 
BEGIN LBAC_SYSDBA. CREATE_POLICY ( ' simple » , ' lbac$testl ' , « raghu 1 ) ; END; 

ERROR at line 1: 

ORA-06550: line 1, column 7: 

PLS-00201: identifier ' LBACSYS . LBAC_SYSDBA 1 must be declared 
ORA-06550: line 1, column 7: 
PL/SQL: Statement ignored 



SQL> 

SQL> CONNECT LBACSYS /LBACSYS 
Connected. 

[START: CLAIMS 1 and 21 

Shows a plurality of label -based policies that are created in the database; 
parameter is the policy column name] 

SQL> 

SQL> -- Create policies in database 
SQL> 

SQL> EXECUTE LBAC_SYSDBA. CREATE_POLICY ( 1 simple * , 1 lbac$testl 1 , » raghu » ) ; 
PL/ SQL procedure successfully completed. 

SQL> EXECUTE LBAC_SYSDBA . CREATE_POLICY ( ' complex » , ' lbac$testl ' , 1 rghu 1 ) ; 
PL/SQL procedure successfully completed. 

SQL> EXECUTE LBAC_SYSDBA. CREATE__POLICY ( ' sile ' , 1 lbac$testl 1 ) ; 
PL/SQL procedure successfully completed. 



[END: CLAIMS 1 and 21] 



SQL> 

SQL> Error Conditions 

SQL> EXECUTE LB AC_S YSDBA. CREATE_POLICY ( ' complex » , ' lbac$testl ' , ' aghu ' ) ; 
BEGIN LBAC_SYSDBA. CREATE_POLICY ( » complex' , ' lbac$testl ■ , » aghu 1 ) ; END; 



ERROR at line 1: 

ORA-12447: policy role already exists for policy complex 
ORA-06512: at "LB AC SYS . LBAC_STANDARD" , line 0 
ORA-06512: at "LBACSYS . LBAC_SYSDBA" , line . * 

ORA-01921: role name ' COMPLEX_DBA ' conflicts with another user or role name 
ORA-06512: at line 1 



SQL> EXECUTE LBAC_S YSDBA . CREATE_POLICY ( ' dummy ' , ' lbac$testl ' ) ; 
BEGIN LBAC JS YSDBA. CREATE JPOLICY( 'dummy 1 , ' lbac$testl ' ) ; END; 



ERROR at line 1: 

ORA-12442: policy column "TESTLABEL" already used by an existing policy 
ORA-06512: at "LBACSYS . LBAC_S YSDBA " , line . * 
ORA-06512: at line . * 



SQL> EXECUTE LBAC_S YSDBA. CREATE_POLICY (• new » , ■ lbac$testl ' , ' raghu 1 ) ; 
BEGIN LBAC_SYSDBA.CREATE_POLICY( 'new' , ■ lbac$testl ' , 'raghu' ) ; END; 



ERROR at line 1: 

ORA-12442: policy column "RAGHU" already used by an existing policy 
ORA-06512: at "LBACSYS . LBAC_S YSDBA " , line .* 
ORA-06512: at line .* 



SQL> EXECUTE LBAC_SYSDBA. CREATE_POLICY ( ' newl23 ' , ' lbac$ttl f , 'xyz ' ) ; 
BEGIN LBAC S YSDBA. CREATE_POL ICY ( 'newl23 ' , ' lbac$ttl ' , 'xyz ' ) ; END; 



ERROR at line 1: 

ORA-12412: policy package lbac$ttl is not installed 
ORA-06512: at "LBACSYS . LBACJ3 YSDBA " , line .* 
ORA-06512: at line .* 



SQL> 

SQL> This should not fail . . . 
SQL> EXECUTE 

LBAC_S YSDBA. CREATE_POL ICY ( ' abcdef ghi j klmnopqrstuvwxyzl2 34 ' , 1 lbac$testl ' , ' f df ' ) ; 

PL/SQL procedure successfully completed. 

SQL> 

SQL> EXECUTE 

LBAC_SYSDBA. CREATE_POLICY ( ' abcdef ghi j klmnopqr st uvwxyz ' , ' lbac$testl ' , ' f df ' ) ; 
BEGIN 

LBAC_SYSDBA. CREATE__POLICY ( ' abcdef ghi j klmnopqr st uvwxyz ' , ' lbac$testl ' , ' fdf ' ) ; END; 



ERROR at line 1: 

ORA-12447: policy role already exists for policy abcdef ghijklmnopqrstuvwxyz 
ORA-06512: at "LBACSYS . LBAC__STANDARD" , line 0 
ORA-06512: at "LBACSYS . LBAC_SYSDBA" , line . * 

ORA-01921: role name 1 ABCDEFGHIJKLMNOPQRSTUVWXYZ_DBA 1 conflicts with another 
user or role name 
ORA-06512: at line 1 



SQL> EXECUTE LBAC_SYSDBA. CREATE_POLICY ( ' india 1 , • lbac$testl « , ■ fdf efg' ) ; 

PL/SQL procedure successfully completed. 

SQL> 

SQL> -- Add 5 policies due to max__labe Impolicies default increase from 5 to 10 
SQL> EXECUTE LBAC_SYSDBA . CREATE_POLICY ( ' abl 1 , 1 lbac$testl 1 , ' vcl ■ ) ; 

PL/ SQL procedure successfully completed. 

SQL> EXECUTE LBAC__SYSDBA. CREATE_POLICY ( ' ab2 ' , 1 lbac$testl ' , ' vc2 « ) ; 
PL/SQL procedure successfully completed. 

SQL> EXECUTE LBAC_SYSDBA. CREATE_POLICY ( 1 ab3 1 , » lbac$testl ' , ' vc3 1 ) ; 
PL/SQL procedure successfully completed. 

SQL> EXECUTE LBAC_JSYSDBA. CREATE_POLICY ( 1 ab4 ' , ' lbac$testl ' , * vc4 ■ ) ; 
PL/SQL procedure successfully completed. 

SQL> EXECUTE LBAC_SYSDBA. CREATE_POLICY ( ' ab5 ' , ' lbac$testl ' , • vc5 ' ) ; 

PL/SQL procedure successfully completed. 

SQL> 

SQL> Error Conditions 

SQL> EXECUTE LBAC_SYSDBA. CREATE_POLICY ( 1 abc ' , ' lbac$testl 1 , * vex ' ) ; 
BEGIN LBAC_SYSDBA. CREATE_POLICY ( ' abc ' , 1 lbac$testl 1 , » vex 1 ) ; END; 



ERROR at line 1 : 

ORA-12422: max policies exceeded 

ORA-06512: at "LBACSYS . LBAC_SYSDBA" , line .* 

ORA-06512: at line 1 



SQL> EXECUTE LBAC_SYSDBA. CREATE_POLICY ( 1 simple ' ) ; 
BEGIN LBAC_SYSDBA . CRE ATE_POL I C Y ( » simple ' ) ; END; 

* 

ERROR at line 1: 

ORA-06550: line 1, column 7: 

PLS-00306: wrong number or types of arguments in call to 1 CREATE_POLICY 1 
ORA-06550: line 1 # column 7: 
PL/SQL: Statement ignored 



SQL> EXECUTE 

LBAC_SYSDBA.CREATE_POLICY( ' abcdef ghi j klmnopqrstuvwxyzl2345 1 , 1 lbac$testl' , ' ragu ' ) 
BEGIN 

LBAC_SYSDBA.CREATE_POLICY ( ' abcdef ghi j klmnopqrstuvwxyz 12 345 » , 1 lbac$testl 1 , • ragu ' ) 
; END; 

* 

ERROR at line 1: 

ORA-12447: policy role already exists for policy 
abcdef ghi j klmnopqrstuvwxyz 12 34 5 

ORA-06512: at " LBACS YS . LBAC_STANDARD « , line 0 
ORA-06512: at "LBACSYS . LBAC_SYSDBA" , line .* 

ORA-01921: role name 1 ABCDEFGHI JKLMNOPQRSTUVWXYZ_DBA ' conflicts with another 
user or role name 
ORA-06512: at line 1 



SQL> 

SQL> -- Drop extra 5 policies from above. 
SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('ab1');

PL/SQL procedure successfully completed.

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('ab2');

PL/SQL procedure successfully completed.

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('ab3');

PL/SQL procedure successfully completed.

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('ab4');

PL/SQL procedure successfully completed.

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('ab5');

PL/SQL procedure successfully completed.

[START: CLAIMS 1 and 21 - list of policies created] 

SQL> -- Let us check the policies created ... 

SQL> SELECT *
  2  FROM DBA_LBAC_POLICIES
  3  ORDER BY POLICY_NAME;

POLICY_NAME                    COLUMN_NAME
PACKAGE                        BIN_SIZE STATUS
DEFAULT_FORMAT                 POLICY_FORMAT
POLICY_OPTIONS
DATABASE_LABELS

ABCDEFGHIJKLMNOPQRSTUVWXYZ1234 FDF
LBAC$TEST1                            1 ENABLED

COMPLEX                        RGHU
LBAC$TEST1                            1 ENABLED

INDIA                          FDFEFG
LBAC$TEST1                            1 ENABLED

SILE                           TESTLABEL
LBAC$TEST1                            1 ENABLED

SIMPLE                         RAGHU
LBAC$TEST1                            1 ENABLED

5 rows selected.

[END: CLAIMS 1 and 21] 

SQL> 

SQL> EXECUTE LBAC_SYSDBA.ENABLE_POLICY('simple');

[STEP 101: "Simple" policy is enabled; STEPS 101-104 illustrate how it is 
determined "whether to perform [an] operation on a row of a table based on a set 
of labels associated with the row, the set of labels corresponding to the policy 
set", as recited by Claims 1 and 21.] 



PL/SQL procedure successfully completed. 
SQL> 

SQL> The basic objective from now on is to test the enable/disable procedures 
SQL> 

SQL> EXECUTE LBAC_LABEL_ADMIN.CREATE_LABEL('simple','A,B',TRUE);
[STEP 102: Label "A,B" is associated with policy "simple".]

PL/SQL procedure successfully completed.

SQL> EXECUTE LBAC_LABEL_ADMIN.CREATE_LABEL('abcdefghijklmnopqrstuvwxyz',2,'A',TRUE);
BEGIN LBAC_LABEL_ADMIN.CREATE_LABEL('abcdefghijklmnopqrstuvwxyz',2,'A',TRUE); END;

*
ERROR at line 1:
ORA-12416: policy abcdefghijklmnopqrstuvwxyz not found
ORA-06512: at "LBACSYS.LBAC_CACHE", line .*
ORA-06512: at "LBACSYS.LBAC_LABEL_ADMIN", line .*
ORA-06512: at line 1

SQL>

SQL> EXECUTE LBAC_USER_ADMIN.SET_USER_LABELS('abcdefghijklmnopqrstuvwxyz','SCOTT',TO_LABEL_LIST.FROM_CHAR('abcdefghijklmnopqrstuvwxyz',NULL,'A'));
BEGIN LBAC_USER_ADMIN.SET_USER_LABELS('abcdefghijklmnopqrstuvwxyz','SCOTT',TO_LABEL_LIST.FROM_CHAR('abcdefghijklmnopqrstuvwxyz',NULL,'A')); END;

*
ERROR at line 1:
ORA-01405: fetched column value is NULL
SQL>

SQL> SELECT *
  2  FROM DBA_LBAC_USER_LABELS ORDER BY USER_NAME, POLICY_NAME;
no rows selected
SQL> 

SQL> Error Conditions 
SQL> EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('abcdefghijklmnopqrstuvwxyz','SCOTT','abc');
BEGIN LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('abcdefghijklmnopqrstuvwxyz','SCOTT','abc'); END;

ERROR at line 1:
ORA-12416: policy abcdefghijklmnopqrstuvwxyz not found
ORA-06512: at "LBACSYS.LBAC_CACHE", line .*
ORA-06512: at "LBACSYS.LBAC_POLICY_ADMIN", line .*
ORA-06512: at line 1



[START: CLAIMS 1, 2, 5, 21, 22, and 25

For CLAIMS 1 and 21, policy "complex" is applied to jing and policies "complex"
and "simple" are applied to table "abc".

For CLAIMS 2 and 22, a policy column is added when a policy is applied to a
table (e.g. "abc"). (See next bolded section on this page).

For CLAIMS 5 and 25, policy "complex" and "simple" are the two or more policies
of the plurality of label-based policies of table "abc"]

SQL> 

SQL> OK now 
SQL> EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('complex','SCOTT','abc','NO_CONTROL');
PL/SQL procedure successfully completed.
SQL> EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('complex','SCOTT','jing','NO_CONTROL');
PL/SQL procedure successfully completed.
SQL> EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('simple','SCOTT','abc','DELETE_CONTROL');
PL/SQL procedure successfully completed.
[END: CLAIMS 1, 2, 5, 21, 22, and 25]
SQL> EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('simple','SCOTT','EMP','DELETE_CONTROL');
PL/SQL procedure successfully completed.
SQL> EXECUTE LBAC_POLICY_ADMIN.APPLY_TABLE_POLICY('sile','SCOTT','jing','DELETE_CONTROL');

PL/SQL procedure successfully completed.

SQL> 

SQL> CONNECT SCOTT/TIGER 
Connected. 

[Step 103: User 'SCOTT' connects to the database. Note: user 'SCOTT' is not
associated with any labels.]

[START: CLAIM 2, 5, 22 and 25

For CLAIMS 2 and 22, policy columns "RGHU" and "RAGHU" are added for policies
"complex" and "simple".

For CLAIMS 5 and 25, these columns are added because policies "complex" and
"simple" are applied - i.e. "the policy set associated with the table includes
two or more policies of the plurality of label-based policies."]

SQL>

SQL> DESC abc;
Name     Null?    Type
COL1              VARCHAR2(45)
RGHU              LBACSYS.LBAC_LABEL
RAGHU             LBACSYS.LBAC_LABEL



[END: CLAIM 2, 5, 22 and 25] 



SQL> 

SQL> INSERT INTO abc (col1)
  2  VALUES ('fdfd');

1 row created. 

[START: CLAIMS 3 and 23 

Label "A,B" for policy "simple" is stored in policy column "raghu" corresponding 
to the policy.] 

SQL> 

SQL> UPDATE abc
  2  SET raghu = LBACSYS.TO_LBAC_LABEL('simple','A,B');

1 row updated. 

[END: CLAIMS 3 and 23] 

[Step 104/START: CLAIMS 1, 4, 21 and 24

For CLAIMS 1 and 21, the following delete operation is received. It was
previously shown which policies apply to table "abc". Here, only policy "simple"
is enforced on delete because DELETE_CONTROL is only specified for policy
"simple" even though both policies "simple" and "complex" are applied. Thus,
policy "simple", of the plurality of label-based policies ("simple" and
"complex"), was determined to be applied to table "abc". In this example, it is
determined that the delete operation is NOT performed based on the set of labels
associated with the row (i.e. user "SCOTT" is not associated with any labels so
the user is denied the ability to delete the row).

For CLAIMS 4 and 24, in order to determine which policies apply, it must be
determined whether a column is a policy column]

SQL> -- Should not allow ...
SQL> DELETE FROM abc;
DELETE FROM abc
*

ERROR at line 1:
ORA-12406: unauthorized SQL statement for policy SIMPLE
ORA-06512: at "LBACSYS.LBAC_STANDARD", line 0
ORA-06512: at "LBACSYS.LBAC.*
ORA-04088: error during execution of trigger 'LBACSYS.LBAC.*
[END: CLAIMS 1, 4, 21, and 24] 
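
A simplified model of the decision annotated in Step 104, added here as an illustration; it is not part of the exhibit and is not Oracle's implementation. The class names, the subset rule for comparing labels, and the capture of policy status at connect time (suggested by the log's comments that enable/disable takes effect from the next session) are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    column: str            # policy column added to each table the policy covers
    enabled: bool = True

@dataclass
class Table:
    applied: dict = field(default_factory=dict)   # policy name -> (Policy, options)

    def apply_policy(self, policy, option):
        self.applied[policy.name] = (policy, {option})

class Session:
    """Assumed model: policy status is captured when the user connects."""
    def __init__(self, user_labels, policies):
        self.user_labels = user_labels            # policy name -> set of components
        self.enabled = {p.name for p in policies if p.enabled}

    def can_delete(self, table, row):
        """Return (allowed, name of the denying policy or None)."""
        for name, (policy, options) in table.applied.items():
            if "DELETE_CONTROL" not in options or name not in self.enabled:
                continue                          # applied, but not enforced on DELETE
            held = self.user_labels.get(name, set())
            row_label = row.get(policy.column) or set()
            # Assumption: a user with no labels is denied; otherwise the user's
            # components must cover the row's label for that policy.
            if not held or not row_label <= held:
                return False, name
        return True, None

def demo():
    simple, complex_ = Policy("simple", "raghu"), Policy("complex", "rghu")
    abc = Table()
    abc.apply_policy(complex_, "NO_CONTROL")
    abc.apply_policy(simple, "DELETE_CONTROL")
    row = {"col1": "fdfd", "rghu": None, "raghu": {"A", "B"}}   # constructed row
    scott = Session({}, [simple, complex_])                      # no labels
    denied = scott.can_delete(abc, row)
    simple.enabled = False                                       # models DISABLE_POLICY
    same_session = scott.can_delete(abc, row)
    reconnected = Session({}, [simple, complex_]).can_delete(abc, row)
    labelled = Session({"simple": {"A", "B"}}, [Policy("simple", "raghu")])
    return denied, same_session, reconnected, labelled.can_delete(abc, row)
```
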

[START: CLAIMS 3 and 23

Shows that label "A,B" associated with policy "simple" is stored in policy
column "raghu" of a row, in table "abc", with value "fdfd"]

SQL>

SQL> SELECT col1, LABEL_TO_CHAR(raghu)
  2  FROM abc
  3  ORDER BY col1;

COL1
LABEL_TO_CHAR(RAGHU)

fdfd
A,B

1 row selected. 

[END: CLAIMS 3 and 23] 



SQL> 

SQL> -- Error Condition 

SQL> EXECUTE LBAC_SYSDBA.DISABLE_POLICY('simple');
BEGIN LBAC_SYSDBA.DISABLE_POLICY('simple'); END;

*
ERROR at line 1:
ORA-06550: line 1, column 7:
PLS-00201: identifier 'LBACSYS.LBAC_SYSDBA' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored

SQL>

SQL> CONNECT LBACSYS/LBACSYS

Connected.

SQL>

SQL> EXECUTE LBAC_SYSDBA.DISABLE_POLICY('simple');

PL/SQL procedure successfully completed.

SQL>

SQL> -- Error Conditions ...

SQL> EXECUTE LBAC_SYSDBA.DISABLE_POLICY('abcdefghijklmnopqrstuvwxyzfd');
BEGIN LBAC_SYSDBA.DISABLE_POLICY('abcdefghijklmnopqrstuvwxyzfd'); END;

*
ERROR at line 1:
ORA-12416: policy abcdefghijklmnopqrstuvwxyzfd not found
ORA-06512: at "LBACSYS.LBAC_SYSDBA", line .*
ORA-06512: at line 1

SQL> EXECUTE LBAC_SYSDBA.DISABLE_POLICY('abcdefghijklmnopqrstuvwxyz','fdf');
BEGIN LBAC_SYSDBA.DISABLE_POLICY('abcdefghijklmnopqrstuvwxyz','fdf'); END;

*
ERROR at line 1:
ORA-06550: line 1, column 7:
PLS-00306: wrong number or types of arguments in call to 'DISABLE_POLICY'
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored

SQL> 

SQL> -- Should not delete as the disable will be effective from next session only

SQL> DELETE FROM SCOTT.abc;

1 row deleted. 

SQL> 

SQL> CONNECT SCOTT/TIGER 

Connected. 

SQL> 

SQL> SELECT col1, LABEL_TO_CHAR(raghu)
  2  FROM abc
  3  ORDER BY col1;

no rows selected

SQL>

SQL> -- Should delete now as the policy is disabled ...
SQL> DELETE FROM abc;

0 rows deleted.
SQL>

SQL> SELECT col1, LABEL_TO_CHAR(raghu)
  2  FROM abc
  3  ORDER BY col1;

no rows selected
SQL>

SQL> INSERT INTO abc (col1)
  2  VALUES ('123233');

1 row created. 
SQL> 

SQL> Error Condition ... 

SQL> EXECUTE LBAC_SYSDBA.ENABLE_POLICY('simple');
BEGIN LBAC_SYSDBA.ENABLE_POLICY('simple'); END;

ERROR at line 1:
ORA-06550: line 1, column 7:
PLS-00201: identifier 'LBACSYS.LBAC_SYSDBA' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored

SQL>

SQL> CONNECT LBACSYS/LBACSYS

Connected.

SQL>

SQL> EXECUTE LBAC_SYSDBA.ENABLE_POLICY('simple');

PL/SQL procedure successfully completed.

SQL>

SQL> Error Conditions ...

SQL> EXECUTE LBAC_SYSDBA.ENABLE_POLICY('simpler1');
BEGIN LBAC_SYSDBA.ENABLE_POLICY('simpler1'); END;

*
ERROR at line 1:
ORA-12416: policy simpler1 not found
ORA-06512: at "LBACSYS.LBAC_SYSDBA", line .*
ORA-06512: at line 1

SQL> EXECUTE LBAC_SYSDBA.ENABLE_POLICY('simple',FALSE);
BEGIN LBAC_SYSDBA.ENABLE_POLICY('simple',FALSE); END;

ERROR at line 1:
ORA-06550: line 1, column 7:
PLS-00306: wrong number or types of arguments in call to 'ENABLE_POLICY'
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored

SQL> 

SQL> -- Should delete now as the enable will be effective only from new session 
SQL> DELETE FROM SCOTT.abc;

1 row deleted.

SQL>

SQL> CONNECT SCOTT/TIGER

Connected.

SQL>

SQL> -- Expecting no rows ...

SQL> SELECT col1, LABEL_TO_CHAR(raghu)
  2  FROM abc
  3  ORDER BY col1;

no rows selected
SQL>

SQL> INSERT INTO abc (col1)
  2  VALUES ('1232');

1 row created.

SQL>

SQL> -- Delete should fail ...
SQL> DELETE FROM abc;
DELETE FROM abc

ERROR at line 1:
ORA-12406: unauthorized SQL statement for policy SIMPLE
ORA-06512: at "LBACSYS.LBAC_STANDARD", line 0
ORA-06512: at "LBACSYS.LBAC.*
ORA-04088: error during execution of trigger 'LBACSYS.LBAC.*

SQL>

SQL> SELECT col1, LABEL_TO_CHAR(raghu)
  2  FROM abc
  3  ORDER BY col1;

COL1
LABEL_TO_CHAR(RAGHU)

1232

1 row selected.



SQL> 

SQL> CONNECT LBACSYS/LBACSYS 

Connected. 

SQL> 

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('simple',TRUE);
PL/SQL procedure successfully completed.

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('complex',FALSE);

PL/SQL procedure successfully completed.

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('sile');

PL/SQL procedure successfully completed.

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('abcdefghijklmnopqrstuvwxyz1234');
PL/SQL procedure successfully completed.

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('abcdefghijklmnopqrstuvwxyz');
BEGIN LBAC_SYSDBA.DROP_POLICY('abcdefghijklmnopqrstuvwxyz'); END;

ERROR at line 1:
ORA-12416: policy abcdefghijklmnopqrstuvwxyz not found
ORA-06512: at "LBACSYS.LBAC_STANDARD", line 0
ORA-06512: at "LBACSYS.LBAC_SYSDBA", line .*
ORA-06512: at line 1

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('india');

PL/SQL procedure successfully completed.

SQL>

SQL> Error Conditions

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('adfd');
BEGIN LBAC_SYSDBA.DROP_POLICY('adfd'); END;

ERROR at line 1:
ORA-12416: policy adfd not found
ORA-06512: at "LBACSYS.LBAC_STANDARD", line 0
ORA-06512: at "LBACSYS.LBAC_SYSDBA", line .*
ORA-06512: at line 1

SQL> EXECUTE LBAC_SYSDBA.DROP_POLICY('simple',XYZ);
BEGIN LBAC_SYSDBA.DROP_POLICY('simple',XYZ); END;

*
ERROR at line 1:
ORA-06550: line 1, column 40:
PLS-00201: identifier 'XYZ' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored

SQL>

SQL> SELECT *
  2  FROM DBA_LBAC_POLICIES
  3  ORDER BY POLICY_NAME;

no rows selected 
SQL> 

SQL> CONNECT SCOTT/TIGER 

Connected. 

SQL> 

SQL> -- Simple policy was applied on two tables (abc,emp) the hidden column should
SQL> -- be dropped as the TRUE option is set; Policy complex was applied to
SQL> -- two tables (abc, jing) and hidden column should not be dropped as the option
SQL> -- was set to FALSE; Policy sile was applied to a table (jing) and the hidden
SQL> -- column should not be dropped as the default option is FALSE.
SQL>

SQL> DESC abc;
Name         Null?     Type
COL1                   VARCHAR2(45)
RGHU                   LBACSYS.LBAC_LABEL

SQL> DESC jing;
Name         Null?     Type
COL1                   VARCHAR2(45)
RGHU                   LBACSYS.LBAC_LABEL
TESTLABEL              LBACSYS.LBAC_LABEL

SQL> DESC EMP;
Name         Null?     Type
EMPNO        NOT NULL  NUMBER(4)
ENAME                  VARCHAR2(10)
JOB                    VARCHAR2(9)
MGR                    NUMBER(4)
HIREDATE               DATE
SAL                    NUMBER(7,2)
COMM                   NUMBER(7,2)
DEPTNO                 NUMBER(2)



SQL> 

SQL> DROP TABLE abc; 



Table dropped. 

SQL> DROP TABLE jing; 

Table dropped. 



SQL> 

SQL> SET ECHO OFF 



